I have a machine with lighttpd and evhost setup. All the evhost contain various php apps like wordpress, drupal etc. If one of the php apps gets compromised the attacker will have access to all the php apps in evhost root. Is it possible to close each php app in a 'kind of chroot' and still enable sftp access to all evhosts (that is not to change their file permissions/set them separate owners)? The less effort the better, plus I don't want any solutions that involve restarting lighttpd after adding new php-app/vhost. If it's not possible - maybe there are some options that would enchance security a bit?
2 Answers
spawn-fcgi helps you to run the PHP interpreter in a chroot environment (and start it under another UID/GID). Examples for this can be found in the spawn-fcgi respectively the lighttpd wiki. With this method, however, you need to restart/reload lighttpd every time you add a new virtual host (or more precisely: the PHP configuration part of a virtual host).
This is definitely not an elegant solution, but you could possibly run a bunch of lighttpd instances, each one chrooted and then put them all behind a reverse proxy that routes the traffic appropriately.
At the very least, you could isolate some of the sites so that if one lighttpd instance is compromised, it only affects some vhosts and not the rest of them. So, assuming that you have 3 instances running, you can for example, split the vhosts among the three instances.
In fact, you may even want to consider using a mixture of web servers so that vulnerabilities that affect one may still be stopped by another.
Just something to consider, perhaps.
